A hospital is sued for failure to take reasonable efforts to prevent a cyberattack that harmed an ED patient. Could the emergency physician (EP) also be liable?
“This is such a new phenomenon, there is no case law to serve as a basis for litigation. The outcome of any case would be solely based on the arguments made by the opposing lawyers,” says Kevin G. Rodgers, MD, president of the American Academy of Emergency Medicine. Rodgers is also professor of clinical emergency medicine and residency program director emeritus at Indiana University Health Methodist in Indianapolis.
Many states conduct peer review panels of potential malpractice cases before moving forward to court.
“A malpractice case clearly based on lack of patient records due to institutional failure to make them available due to cyberattack would be viewed by other EPs on the panel as a system failure,” Rodgers says. “They would find in favor of the physician.”
An EP does not have vicarious liability for a hospital, Rodgers emphasizes.
“The most defensible position for the EP in this scenario is that this is an institutional/system failure,” he says.
In any root cause analysis conducted after an adverse event, a variety of potential causes are assessed. One of these is system failure, Rodgers notes.
“Any legal liability directly related to medical malpractice that would have been clearly prevented by having patient records available lies purely with the institution, with the institution being solely liable,” Rodgers says.
No Access to Records
For EPs, lack of access to patient records isn’t unique to a cyberattack — it’s something they deal with on a daily basis.
“Residency-trained, board-certified, or board-eligible emergency medicine physicians are quite adept at obtaining the required information needed to appropriately care for patients from a variety of sources,” Rodgers says.
This includes calling extended-care facilities, family, other hospitals, pharmacies, or the patient’s primary care provider.
“EPs commonly have to make emergent decisions on less than total information,” Rodgers notes.
But what if the ED could have accessed a particular patient’s records if not for a cyberattack, and something in the records would have affected the treatment provided?
If an adverse outcome occurred in this scenario, “there is a possibility that a claim for professional negligence could be asserted,” according to David McHale, senior vice president and chief legal officer, The Doctors Company.
However, the plaintiff would have a difficult time successfully arguing that the EP should not have undertaken the emergency care until medical records of the patient could be accessed.
“This is certainly a reach,” McHale says. “In many instances, an ED must treat a patient without any access to records. It’s a reality of seeing patients on an emergent basis.”
If records are locked by “ransomware,” ED staff simply have to do the best they can under the circumstances, says William Sullivan, DO, JD, FACEP, an emergency physician at the University of Illinois in Chicago and a practicing attorney in Frankfort, IL. For example, patients can report allergies, which can be noted in written records. In complex patients, other facilities or primary care physicians could be contacted to fax records to the ED.
“The law requires us to act reasonably under whatever circumstances we are faced with,” Sullivan explains. “Obviously, we’re put at a disadvantage if we don’t have a patient’s old medical records.”
This circumstance would change the standard to which the EP would be held.
“It would be a good idea to note on the records somewhere that old medical records were not available due to IT problems, though,” Sullivan says.
If a lawsuit is filed several years later, the EP might not remember why he or she didn’t have access to the old records on that particular day, and what the EP did to mitigate the situation.
EPs are trained to be more cautious and conservative in their decision making and dispositions when there is potential missing information, Rodgers adds.
“This would include more liberal admissions, longer observation periods in the ED or observation units, and arrangement of closer follow-up with primary care physicians and specialists,” he says.
It is generally the hospital’s duty to maintain the security of the electronic medical record (EMR), Sullivan notes.
“If there has been a data breach, then there are also rules that hospitals must follow in order to mitigate the breach,” he says.
Under 45 CFR 164.404, a covered entity must notify any individual whose unsecured protected health information (PHI) has been breached, within 60 days of discovering the breach. This notification must include the nature of the breach, the type of information involved, and what steps the patients can take to protect themselves from possible harm.
If more than 500 unsecured patient records are affected, under 45 CFR 164.406 the hospital also has to notify prominent media outlets within 60 days of the discovery of the breach. In addition, under 45 CFR 164.408, all breaches of unsecured PHI must be logged and reported to the Department of Health and Human Services on at least a yearly basis.
“There are also specific penalties based on the type of breach — accidental vs willful — and how the information is used,” Sullivan says.
Under 45 CFR 160.404, hospitals can be fined up to $50,000 for each violation involving “willful neglect” of privacy practices. Unauthorized access of PHI with intent to sell or transfer the data for personal gain or malicious harm can lead to fines of $250,000 and up to 10 years in prison, pursuant to 42 U.S.C. § 1320d.
There is no individual cause of action against a covered entity under the Health Insurance Portability and Accountability Act (HIPAA), says Deborah Hiser, JD, a partner with Husch Blackwell. The ED, as a HIPAA-covered entity, would be subject to civil penalties from the Office of Civil Rights if the patient’s protected health information were unsecured as defined by the National Institute of Standards and Technology rules.
“The analysis is also dependent on the facts and how the attack occurs,” Hiser says. “There are state breach of security system laws that would impose notice requirements to patients, as does HIPAA.”
Hiser says liability would depend on who is responsible for security of the EMR, and whether any PHI were further used or disclosed in violation of HIPAA.
“I would not think an individual physician would be liable under a malpractice theory,” she says. “This is an evolving issue. We do not yet know the extent of liability.”
Sullivan sees no liability for EPs unless the EP was somehow involved in the breach. One example of when an EP could face liability is if the EP shared his or her password with others, and that password was used to breach the EMR.
“That type of breach would likely result in access to a few medical records, not in the large-scale database breach experienced by the California hospital,” Sullivan notes.
If an EP accesses the EMR from home, it is possible that the EP’s home computer could be compromised as well, Sullivan adds. For example, keyloggers could capture passwords that the hacker later could use to access records from another site.
“The most important point in this regard is to log off when you’re done with the session and to change your password regularly,” Sullivan says. “It may not prevent a breach, but will decrease the likelihood of one happening.”
If the EP installs a program on a hospital computer or visits a malicious website, the program or website could install a virus or backdoor, providing hackers access to the hospital system.
“If the hospital has a policy regarding use of computers and other IT and the physician violates it, the physician could be subject to termination,” Sullivan says.
- Deborah Hiser, JD, Partner, Husch Blackwell, Austin, TX. Phone: (512) 703-5718. Email: .
- David McHale, Senior Vice President, Chief Legal Officer, The Doctors Company, Napa, CA. Phone: (707) 226-0289. Fax: (707) 226-0370. Email: .
- Kevin G. Rodgers, MD, Department of Emergency Medicine, Professor of Clinical Emergency Medicine, IU Health Methodist, Indianapolis. Phone: (317) 962-5975. Email: .
- William Sullivan, DO, JD, Frankfort, IL. Phone: (708) 323-1015. Email: .